Description
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An externally-controlled format string exists in the PostgreSQL timeofday() function and is triggered through crafted time zone values. An attacker who can influence the time zone in effect for the session can cause the function to read portions of server memory and return them in the query result. The weakness is classified as CWE-134 (Use of Externally-Controlled Format String). The advisory scopes the impact to information disclosure: the CVSS vector records low confidentiality impact and no integrity or availability impact, so no remote code execution or denial of service is claimed.

Affected Systems

The flaw affects PostgreSQL servers running any release earlier than 18.4, 17.10, 16.14, 15.18 or 14.23 in the corresponding major branch. It is fixed in those releases and later.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: reachable over the network with low attack complexity, but PR:L means the attacker needs an authenticated database session, not anonymous access. No EPSS value is reported, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, Automatable: no, and partial technical impact. The attack path inferred from the description is an authenticated client that sets a crafted time zone for its own session and then calls timeofday(). Because PostgreSQL's TimeZone setting is a session-level parameter that any connected role may change, every role permitted to run queries on a vulnerable server is in scope.

Generated by OpenCVE AI on May 14, 2026 at 14:36 UTC.

Remediation

A vendor fix is available: PostgreSQL 18.4, 17.10, 16.14, 15.18 and 14.23 contain the correction, and Debian has published DSA-6269-1 (postgresql-15) and DSA-6270-1 (postgresql-17). No vendor workaround is documented.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to 18.4, 17.10, 16.14, 15.18 or 14.23 (or later) in your current major branch; on Debian, apply DSA-6269-1 (postgresql-15) or DSA-6270-1 (postgresql-17).
  • If an upgrade is not immediately possible, limit who can reach the affected function: a superuser can revoke EXECUTE on pg_catalog.timeofday() from PUBLIC (it is a legacy function that few applications call), and review which roles are allowed to connect at all, since PR:L means any authenticated role can attempt the attack.
  • Do not rely on pinning the server time zone: TimeZone is a user-settable session parameter, so a value in postgresql.conf or set with ALTER ROLE ... SET is only a default that any connected client can override with SET TimeZone. Validating time zone strings at the application layer helps only for values the application itself passes through and does not constrain a client that can run arbitrary SQL.
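The following SQL is an added example, not part of the OpenCVE page or of PostgreSQL's own tooling. It turns the actions above into checks a DBA can run on a server: the first query compares the running server against the first fixed minor release of its major branch (server_version_num is major * 10000 + minor), and the remaining statements apply and verify the interim privilege restriction. The role name app_user is an assumption; substitute a real application role.

```sql
-- Added example (not from the OpenCVE page or the PostgreSQL project).
-- 1. Is this server below the fixed release for its major branch?
--    server_version_num encodes major * 10000 + minor, e.g. 17.9 -> 170009,
--    so the first fixed releases from the advisory are:
WITH fixed(major, first_fixed) AS (
    VALUES (18, 180004),   -- 18.4
           (17, 170010),   -- 17.10
           (16, 160014),   -- 16.14
           (15, 150018),   -- 15.18
           (14, 140023)    -- 14.23
),
cur AS (
    SELECT current_setting('server_version_num')::int AS vnum
)
SELECT version()                      AS running,
       cur.vnum                       AS server_version_num,
       fixed.first_fixed              AS first_fixed,
       cur.vnum < fixed.first_fixed   AS vulnerable
FROM cur
JOIN fixed ON fixed.major = cur.vnum / 10000;
-- No row returned means the major branch is not one the advisory lists.

-- 2. Interim hardening until the upgrade (run as superuser, once per database):
--    remove the default public right to execute the affected function.
REVOKE EXECUTE ON FUNCTION pg_catalog.timeofday() FROM PUBLIC;

-- 3. Verify the restriction for an ordinary role (app_user is an assumed name);
--    expected result after the REVOKE is false.
SELECT has_function_privilege('app_user', 'pg_catalog.timeofday()', 'EXECUTE')
       AS app_user_can_call_timeofday;
```

The REVOKE is a catalog change local to each database, so repeat it in every database on the cluster, and remember to record it so it is not mistaken for drift when the upgraded server is reviewed; after upgrading, the grant can be restored with GRANT EXECUTE ... TO PUBLIC if anything depended on it.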

Advisories
Source       ID           Title
Debian DSA   DSA-6269-1   postgresql-15 security update
Debian DSA   DSA-6270-1   postgresql-17 security update
History

Thu, 14 May 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Postgresql; Postgresql postgresql
Vendors & Products                     Postgresql; Postgresql postgresql

Thu, 14 May 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 13:30:00 +0000

Type          Values Removed   Values Added
Description                    Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Title                          PostgreSQL timeofday() can disclose portions of server memory
Weaknesses                     CWE-134
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-14T15:30:37.425Z

Reserved: 2026-04-17T00:36:25.451Z

Link: CVE-2026-6474

Vulnrichment

Updated: 2026-05-14T15:30:34.525Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T14:16:24.997

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses